Privacy Policy

Privacy Policy of the Sonex Meble Antyki online store

Version valid from 25/08/2025

§1 General provisions and data controller
1. This Privacy Policy sets out the rules for the processing of personal data by the sonex-meble.pl online store and in connection with the handling of orders and inquiries sent to the Seller (by phone, e-mail or via the contact form), as well as in stationary sales conducted by the Seller.
2. The personal data controller is Sonex Jakub Mirowski, Księdza Konstantego Budkiewicza 51, 05-091, Ząbki, NIP 1182268239, REGON 526205982, e-mail: sonexmeble@gmail.com, tel.: +48 786 402 466, hereinafter referred to as the Administrator.
3. The Administrator processes data in accordance with the GDPR and other relevant provisions of national law, in particular the Act on the provision of electronic services and the provisions on cookies.
4. The Store is hosted on the Shopify platform; Shopify acts as a processor for the Administrator and may participate in further processing. Details of recipients and possible transfers outside the EEA (e.g., to Canada/USA using standard contractual clauses) are provided in the following paragraphs.
5. The policy applies to persons visiting the website, placing orders (standard and large products), contacting the Seller and customers purchasing in a stationary store.
6. The Administrator has not appointed a Data Protection Officer (DPO), unless otherwise indicated in the current version of the Policy. In matters concerning personal data, please contact us using the details in paragraph 2.
7. The current version of the Policy is always available on the website sonex-meble.pl.

§2 Scope of data, sources and categories of persons
1. The Administrator processes personal data of natural persons who:
a) place orders in the Online Store,
b) make a purchase in a stationary store,
c) contact the Seller by telephone, e-mail or via the contact form available on the website,
d) submit complaints, make returns or exercise the right to withdraw from the contract,
e) visit the Store's website and use cookies.
2. Depending on the purpose of processing, the Administrator may collect the following categories of personal data:
• identification data (name, surname, company name, Tax Identification Number),
• address details (residential address, delivery address, billing address),
• contact details (phone number, e-mail address),
• payment details (bank account number in the case of a transfer or refund),
• order details (selected products, delivery method, payment method),
• data provided voluntarily in the content of messages sent to the Seller,
• technical data regarding the use of the website (e.g. IP address, cookies, browser and device information).
3. Customers' personal data comes directly from them, i.e. they are provided voluntarily during the ordering process, when contacting the Seller or when using the website.

§3 Purposes and legal basis of data processing
1. Customers' personal data are processed by the Administrator for the following purposes:
a) execution of the Sales Agreement – including acceptance and processing of the Order, delivery of the Product, payment processing, exercise of the right of withdrawal and complaints; Legal basis: Article 6(1)(b) of the GDPR (necessary for the performance of the contract).
b) fulfilling the legal obligations incumbent on the Administrator – including issuing accounting documents, storing sales receipts, fulfilling tax obligations; Legal basis: Article 6(1)(c) of the GDPR (legal obligation).
c) communication with the Customer and handling enquiries – responding to messages, conducting correspondence, handling telephone and e-mail contact; Legal basis: Article 6(1)(f) of the GDPR (the Administrator's legitimate interest in serving customers).
d) marketing and advertising of products – sending commercial information, newsletters, displaying advertisements, personalising the offer; Legal basis: Article 6(1)(a) of the GDPR (Customer's consent) or Article 6(1)(f) of the GDPR (legitimate interest of the Administrator, if consent is not required).
e) analyzing and improving the functioning of the Store – keeping statistics, examining website traffic, analyzing shopping preferences, improving the usability and security of the website; Legal basis: Article 6(1)(f) of the GDPR (legitimate interest of the Administrator).
f) preventing abuse and pursuing claims – detecting illegal activities, ensuring security, pursuing and defending against claims; Legal basis: Article 6(1)(f) of the GDPR (legitimate interest of the Administrator).
2. If data processing is based on the Customer's consent (e.g. for marketing purposes), the Customer has the right to withdraw consent at any time, which does not affect the lawfulness of the processing carried out before its withdrawal.

§4 Cookies and tracking technologies
1. The Online Store uses cookies and other similar technologies (such as tracking pixels, web beacons, local browser storage) in order to:
a) ensure the proper functioning of the website and its individual functionalities,
b) remember the Customer's preferences and settings,
c) analyze website use and collect statistical data,
d) adapt content and advertisements to the Customer's interests,
e) ensure security and prevent abuse.
2. Cookies may be installed by the Administrator as well as by third parties cooperating with the Administrator, in particular:
• Shopify (e-commerce platform),
• payment system operators,
• analytical service providers (e.g. Google Analytics),
• advertising service providers (e.g. Facebook Ads, Google Ads).
3. The Customer may change cookie settings in their web browser at any time, including limiting their use or blocking them completely. However, limiting the use of cookies may affect some of the Online Store's functionalities.
4. Detailed information on the cookies used and their storage periods is available in the cookie settings on the Store website.

§5 Sharing of personal data
1. Customers' personal data may be made available to third parties only to the extent necessary to achieve the purposes specified in §3 of this Policy.
2. The recipients of personal data may be, in particular:
a) Shopify – as the provider of the e-commerce platform supporting the Store,
b) courier and transport companies – to deliver the ordered Products,
c) payment operators – to process online payments and transfers,
d) accounting offices and entities providing accounting or tax services,
e) entities providing legal, advisory and debt collection services in the case of pursuing claims,
f) providers of IT and marketing services, including analytical and advertising systems and tools for communicating with customers.
3. Personal data may also be made available to public authorities authorized under the law (e.g. tax offices, law enforcement agencies).
4. In the case of using additional services (e.g. newsletter, internet marketing), personal data may be transferred to technical or marketing partners cooperating with the Administrator – always in accordance with applicable law and to the extent necessary to provide a given service.
5. Personal data is not sold or made available to third parties for marketing purposes without the express consent of the Customer.

§6 Data transfer outside the EEA
1. Customers' personal data are generally processed within the European Economic Area (EEA).
2. In connection with the use of the Shopify platform, personal data may be transferred outside the EEA, in particular to Canada and the United States of America.
3. In the event of transfer of personal data to third countries that do not ensure an adequate level of personal data protection in accordance with the decision of the European Commission, the Administrator applies appropriate legal safeguards, such as:
a) standard contractual clauses approved by the European Commission,
b) other mechanisms provided for in the GDPR and accepted by the supervisory authorities.
4. The Customer has the right to obtain a copy of the security measures applied in the transfer of data outside the EEA by contacting the Administrator using the details indicated in §1 section 2 of this Policy.

§7 Data storage period
1. Personal data are stored for the period necessary to achieve the purposes for which they were collected, and then for the period required by law or until the statute of limitations for claims expires.
2. In particular:
a) data related to the execution of the Sales Agreement – for the duration of its validity and after its termination for a period of 5 years (for tax and accounting purposes),
b) data regarding complaints, returns and withdrawals from the contract – for a period of 2 years from the date of consideration of the case,
c) data processed on the basis of consent (e.g. for marketing purposes) – until the consent is withdrawn by the Customer,
d) technical and analytical data (e.g. cookies) – in accordance with cookie settings and until they are deleted by the Customer,
e) data used for the purpose of defending or pursuing claims – until the statute of limitations for any claims arising from legal provisions expires.

§8 Rights of data subjects
1. Every person whose data is processed by the Administrator has the right to:
a) access their personal data – to obtain information about what data is processed and for what purpose,
b) rectification of data – correction or supplementation of incorrect or incomplete data,
c) deletion of data ("right to be forgotten") – in the cases provided for in Article 17 of the GDPR,
d) restriction of processing – in the cases specified in Article 18 of the GDPR,
e) data portability – receiving data in a structured format and transferring it to another controller,
f) object to the processing of personal data based on the legitimate interest of the Administrator, including processing for marketing purposes,
g) withdrawal of consent – at any time, if the processing is based on consent, without affecting the lawfulness of processing before its withdrawal.
2. In order to exercise the above rights, please contact the Administrator using the details indicated in §1 section 2 of this Policy.
3. Every data subject has the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO) if he or she considers that his or her data is being processed contrary to the law.

§9 Data security
1. The Administrator applies appropriate technical and organizational measures to ensure the protection of processed personal data, in particular protecting them against unauthorized access, loss, destruction or unauthorized modification.
2. In order to ensure the security of personal data, the Administrator uses, among others:
a) connection encryption (SSL/TLS certificate),
b) server and database security systems,
c) procedures limiting access to data only to authorized persons,
d) regular data backups.
3. Personal data is stored and processed in the infrastructure provided by the Shopify platform, which applies its own security measures in accordance with industry standards and personal data protection laws.
4. The Administrator informs that despite the use of advanced security measures, no IT system or data transmission channel over the Internet is completely secure and risk-free.

§10 Children's data
1. The services provided by the Administrator, including the Online Store, are not intended for persons under 16 years of age.
2. The Administrator does not knowingly collect personal data of children.
3. If it is found that the personal data of a child under 16 years of age have been provided to the Administrator without the consent of his or her legal guardian, such data will be immediately deleted.
4. Parents or legal guardians who become aware that their child's personal data have been provided to the Administrator may contact the Administrator to request their deletion.

§11 Changes to the Privacy Policy
1. The Administrator reserves the right to make changes to this Privacy Policy for important legal, organizational or technical reasons, in particular in the event of changes in legal regulations, data processing methods or technologies used.
2. The amended Privacy Policy will be published on the Store's website at sonex-meble.pl along with the current effective date.
3. The Customer's use of the Store after the changes come into effect constitutes acceptance of the new content of the Policy.

§12 Contact
1. In matters relating to the protection of personal data and in order to exercise the rights referred to in §8 of this Policy, the Customer may contact the Administrator:
a) electronically – to the e-mail address: sonexmeble@gmail.com or by filling out the contact form,
b) in writing – to the registered office address: Sonex Jakub Mirowski, ul. Księdza Konstantego Budkiewicza 51, 05-091, Ząbki,
c) by phone – at: +48 786 402 466.
2. The Administrator shall respond to inquiries promptly, no later than within the time limit provided for by law.